Legitimize Your Mobile App: Get It Signed : Page 2

Obtaining a Key
Typically, you obtain a key from a certificate authority, a company whose business is verifying who you claim to be and issuing electronic certificates with cryptographic keys that represent that fact. While there are a number of companies that do this, the three most widely known are VeriSign, Thawte, and GeoTrust. Obtaining a certificate will take time and money, because you're asking one of these firms to originate a key and sign it with their root certificate. While costs vary, expect to pay a few hundred dollars per year and experience a latency of a few days while you get the paperwork in order (typically exchanging photocopies of photo ID, business statements, or phone calls so that the certificate authority can verify that you are who you claim). Moreover, many of the code signing keys you obtain are good only for a set number of usesyou're not given the privilege of signing an unlimited number of applications, and the certificate you obtain is good only for a certain period of time. Thus, maintaining your key is an ongoing part of your business, just like ensuring your Internet domain name remains registered.

When selecting vendors to provide keys for application signing, be carefulit's emphatically not one-size-fits-all. Different devices require different kinds of keys, and if you're a cross-platform application publisher, expect to obtain different keys for different platforms. This can significantly increase the out-of-pocket expense for an independent developer, so it's something to plan for if you're flying solo and planning on releasing your product on multiple platforms.

While you're developing your application on some platforms, signing with a self-generated key is an option. You can generate a key for self-signing using the Java keytool command, included with the Java Developer Kit (JDK) you need for developing applications for platforms including Android and Java ME.

To generate an untrusted key for self-signing, invoke keytool like this:

Using keytool, you need to specify an alias, which is the unique name for the key, and the validity (how long the certificate will remain valid in days). For example, this generates a new key in the keystore keys with the alias Yoyodyne using the RSA algorithm that is valid for 10,000 days:

[cdr:/tmp] kf6gpe% keytool –keystore keys -genkey -alias Yoyodyne -keyalg RSA -validity 10000
Enter keystore password: password
What is your first and last name?
[Unknown]: Ray Rischpater
What is the name of your organizational unit?
[Unknown]: Development Team
What is the name of your organization?
[Unknown]: Yoyodyne
What is the name of your City or Locality?
[Unknown]: San Lorenzo Valley
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=Ray Rischpater, OU=Development Team, O=Yoyodyne, L=San Lorenzo Valley, ST=CA, C=US correct?
[no]: yes
Enter key password for <Yoyodyne>
(RETURN if same as keystore password):
[cdr:/tmp] kf6gpe%

Of course, you should supply your own identifying information to keytool's prompts.

As important as creating the key is, it's equally important that you safeguard it after it's created (or sold to you by a certificate authority). Your reputation as a professional developer hinges on the key, because it's part of the chain of trust between you and your customers. You should take appropriate precautions, including:

When using a system shell and a program like keytool to generate a key, do not specify the passwords on the command line, because they are kept in the shell's history.

Do not give or lend anyone your key.

Keep backups of your key store in a secure location.

Use the same certificate for different versions of the same application on the same platform. Not only does this save you money, but on some platforms (Google's Android, for example) it's required for application upgrades.